Rewrite CA.pl.in
Reformat CA.pl.in to follow coding style. Also add "use strict" and "use warnings" Also modify it to exit properly and report only when succeeded. And some perl tweaks via Richard. Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
parent
23a1d5e97c
commit
5a3aa85252
1 changed files with 173 additions and 182 deletions
343
apps/CA.pl.in
343
apps/CA.pl.in
|
@ -1,175 +1,55 @@
|
||||||
#!/usr/local/bin/perl
|
#!/usr/bin/perl
|
||||||
#
|
#
|
||||||
# CA - wrapper around ca to make it easier to use
|
# Wrapper around the ca to make it easier to use
|
||||||
#
|
# Edit CA.pl.in not CA.pl!
|
||||||
# CA -newca ... will setup the right stuff
|
|
||||||
# CA -newreq[-nodes] ... will generate a certificate request
|
|
||||||
# CA -sign ... will sign the generated request and output
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
|
||||||
|
my $openssl = "openssl";
|
||||||
|
if(defined $ENV{'OPENSSL'}) {
|
||||||
|
$openssl = $ENV{'OPENSSL'};
|
||||||
|
} else {
|
||||||
|
$ENV{'OPENSSL'} = $openssl;
|
||||||
|
}
|
||||||
|
|
||||||
|
my $verbose = 1;
|
||||||
|
|
||||||
|
my $SSLEAY_CONFIG = $ENV{"SSLEAY_CONFIG"};
|
||||||
|
my $DAYS = "-days 365";
|
||||||
|
my $CADAYS = "-days 1095"; # 3 years
|
||||||
|
my $REQ = "$openssl req $SSLEAY_CONFIG";
|
||||||
|
my $CA = "$openssl ca $SSLEAY_CONFIG";
|
||||||
|
my $VERIFY = "$openssl verify";
|
||||||
|
my $X509 = "$openssl x509";
|
||||||
|
my $PKCS12 = "$openssl pkcs12";
|
||||||
|
|
||||||
# default openssl.cnf file has setup as per the following
|
# default openssl.cnf file has setup as per the following
|
||||||
# demoCA ... where everything is stored
|
my $CATOP = "./demoCA";
|
||||||
|
my $CAKEY = "cakey.pem";
|
||||||
|
my $CAREQ = "careq.pem";
|
||||||
|
my $CACERT = "cacert.pem";
|
||||||
|
my $CACRL = "crl.pem";
|
||||||
|
my $DIRMODE = 0777;
|
||||||
|
|
||||||
my $openssl;
|
my $NEWKEY = "newkey.pem";
|
||||||
if(defined $ENV{OPENSSL}) {
|
my $NEWREQ = "newreq.pem";
|
||||||
$openssl = $ENV{OPENSSL};
|
my $NEWCERT = "newcert.pem";
|
||||||
} else {
|
my $NEWP12 = "newcert.p12";
|
||||||
$openssl = "openssl";
|
my $RET = 0;
|
||||||
$ENV{OPENSSL} = $openssl;
|
my $WHAT = shift @ARGV;
|
||||||
}
|
my $FILE;
|
||||||
|
|
||||||
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
|
# See if reason for a CRL entry is valid; exit if not.
|
||||||
$DAYS="-days 365"; # 1 year
|
sub crl_reason_ok
|
||||||
$CADAYS="-days 1095"; # 3 years
|
{
|
||||||
$REQ="$openssl req $SSLEAY_CONFIG";
|
my $r = shift;
|
||||||
$CA="$openssl ca $SSLEAY_CONFIG";
|
|
||||||
$VERIFY="$openssl verify";
|
|
||||||
$X509="$openssl x509";
|
|
||||||
$PKCS12="$openssl pkcs12";
|
|
||||||
|
|
||||||
$CATOP="./demoCA";
|
if ($r eq 'unspecified' || $r eq 'keyCompromise'
|
||||||
$CAKEY="cakey.pem";
|
|| $r eq 'CACompromise' || $r eq 'affiliationChanged'
|
||||||
$CAREQ="careq.pem";
|
|| $r eq 'superseded' || $r eq 'cessationOfOperation'
|
||||||
$CACERT="cacert.pem";
|
|| $r eq 'certificateHold' || $r eq 'removeFromCRL') {
|
||||||
$CACRL="crl.pem";
|
|
||||||
|
|
||||||
$DIRMODE = 0777;
|
|
||||||
|
|
||||||
$RET = 0;
|
|
||||||
|
|
||||||
foreach (@ARGV) {
|
|
||||||
if ( /^(-\?|-h|-help)$/ ) {
|
|
||||||
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
|
|
||||||
print STDERR " CA -crl|-revoke cert-filename [reason]\n";
|
|
||||||
exit 0;
|
|
||||||
} elsif (/^-newcert$/) {
|
|
||||||
# create a certificate
|
|
||||||
system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
|
|
||||||
$RET=$?;
|
|
||||||
print "Certificate is in newcert.pem, private key is in newkey.pem\n"
|
|
||||||
} elsif (/^-newreq$/) {
|
|
||||||
# create a certificate request
|
|
||||||
system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
|
|
||||||
$RET=$?;
|
|
||||||
print "Request is in newreq.pem, private key is in newkey.pem\n";
|
|
||||||
} elsif (/^-newreq-nodes$/) {
|
|
||||||
# create a certificate request
|
|
||||||
system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
|
|
||||||
$RET=$?;
|
|
||||||
print "Request is in newreq.pem, private key is in newkey.pem\n";
|
|
||||||
} elsif (/^-newca$/) {
|
|
||||||
# if explicitly asked for or it doesn't exist then setup the
|
|
||||||
# directory structure that Eric likes to manage things
|
|
||||||
$NEW="1";
|
|
||||||
if ( "$NEW" || ! -f "${CATOP}/serial" ) {
|
|
||||||
# create the directory hierarchy
|
|
||||||
mkdir $CATOP, $DIRMODE;
|
|
||||||
mkdir "${CATOP}/certs", $DIRMODE;
|
|
||||||
mkdir "${CATOP}/crl", $DIRMODE ;
|
|
||||||
mkdir "${CATOP}/newcerts", $DIRMODE;
|
|
||||||
mkdir "${CATOP}/private", $DIRMODE;
|
|
||||||
open OUT, ">${CATOP}/index.txt";
|
|
||||||
close OUT;
|
|
||||||
open OUT, ">${CATOP}/crlnumber";
|
|
||||||
print OUT "01\n";
|
|
||||||
close OUT;
|
|
||||||
}
|
|
||||||
if ( ! -f "${CATOP}/private/$CAKEY" ) {
|
|
||||||
print "CA certificate filename (or enter to create)\n";
|
|
||||||
$FILE = <STDIN>;
|
|
||||||
|
|
||||||
chop $FILE;
|
|
||||||
|
|
||||||
# ask user for existing CA certificate
|
|
||||||
if ($FILE) {
|
|
||||||
cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
|
|
||||||
cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
|
|
||||||
$RET=$?;
|
|
||||||
} else {
|
|
||||||
print "Making CA certificate ...\n";
|
|
||||||
system ("$REQ -new -keyout " .
|
|
||||||
"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
|
|
||||||
system ("$CA -create_serial " .
|
|
||||||
"-out ${CATOP}/$CACERT $CADAYS -batch " .
|
|
||||||
"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
|
|
||||||
"-extensions v3_ca " .
|
|
||||||
"-infiles ${CATOP}/$CAREQ ");
|
|
||||||
$RET=$?;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} elsif (/^-pkcs12$/) {
|
|
||||||
my $cname = $ARGV[1];
|
|
||||||
$cname = "My Certificate" unless defined $cname;
|
|
||||||
system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
|
|
||||||
"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
|
|
||||||
"-export -name \"$cname\"");
|
|
||||||
$RET=$?;
|
|
||||||
print "PKCS #12 file is in newcert.p12\n";
|
|
||||||
exit $RET;
|
|
||||||
} elsif (/^-xsign$/) {
|
|
||||||
system ("$CA -policy policy_anything -infiles newreq.pem");
|
|
||||||
$RET=$?;
|
|
||||||
} elsif (/^(-sign|-signreq)$/) {
|
|
||||||
system ("$CA -policy policy_anything -out newcert.pem " .
|
|
||||||
"-infiles newreq.pem");
|
|
||||||
$RET=$?;
|
|
||||||
print "Signed certificate is in newcert.pem\n";
|
|
||||||
} elsif (/^(-signCA)$/) {
|
|
||||||
system ("$CA -policy policy_anything -out newcert.pem " .
|
|
||||||
"-extensions v3_ca -infiles newreq.pem");
|
|
||||||
$RET=$?;
|
|
||||||
print "Signed CA certificate is in newcert.pem\n";
|
|
||||||
} elsif (/^-signcert$/) {
|
|
||||||
system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
|
|
||||||
"-out tmp.pem");
|
|
||||||
system ("$CA -policy policy_anything -out newcert.pem " .
|
|
||||||
"-infiles tmp.pem");
|
|
||||||
$RET = $?;
|
|
||||||
print "Signed certificate is in newcert.pem\n";
|
|
||||||
} elsif (/^-verify$/) {
|
|
||||||
if (shift) {
|
|
||||||
foreach $j (@ARGV) {
|
|
||||||
system ("$VERIFY -CAfile $CATOP/$CACERT $j");
|
|
||||||
$RET=$? if ($? != 0);
|
|
||||||
}
|
|
||||||
exit $RET;
|
|
||||||
} else {
|
|
||||||
system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
|
|
||||||
$RET=$?;
|
|
||||||
exit $RET;
|
|
||||||
}
|
|
||||||
} elsif (/^-crl$/) {
|
|
||||||
system ("$CA -gencrl -out $CATOP/crl/$CACRL");
|
|
||||||
$RET=$?;
|
|
||||||
print "Generated CRL is in $CATOP/crl/$CACRL\n" if (!$RET);
|
|
||||||
} elsif (/^-revoke$/) {
|
|
||||||
my $cname = $ARGV[1];
|
|
||||||
if (!defined $cname) {
|
|
||||||
print "Certificate filename is required; reason optional.\n";
|
|
||||||
exit 1;
|
|
||||||
}
|
|
||||||
my $reason = $ARGV[2];
|
|
||||||
$reason = " -crl_reason $reason"
|
|
||||||
if defined $reason && crl_reason_ok($reason);
|
|
||||||
my $cmd = "$CA -revoke \"$cname\"".$reason;
|
|
||||||
system ($cmd);
|
|
||||||
$RET=$?;
|
|
||||||
exit $RET;
|
|
||||||
} else {
|
|
||||||
print STDERR "Unknown arg $_\n";
|
|
||||||
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
|
|
||||||
print STDERR " CA -crl|-revoke cert-filename [reason]\n";
|
|
||||||
exit 1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
exit $RET;
|
|
||||||
|
|
||||||
sub crl_reason_ok {
|
|
||||||
my ($r) = shift;
|
|
||||||
if ($r eq 'unspecified' || $r eq 'keyCompromise' ||
|
|
||||||
$r eq 'CACompromise' || $r eq 'affiliationChanged' ||
|
|
||||||
$r eq 'superseded' || $r eq 'cessationOfOperation' ||
|
|
||||||
$r eq 'certificateHold' || $r eq 'removeFromCRL') {
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
print STDERR "Invalid CRL reason; must be one of:\n";
|
print STDERR "Invalid CRL reason; must be one of:\n";
|
||||||
|
@ -179,19 +59,130 @@ sub crl_reason_ok {
|
||||||
exit 1;
|
exit 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub cp_pem {
|
# Copy a PEM-format file; return like exit status (zero means ok)
|
||||||
|
sub copy_pemfile
|
||||||
|
{
|
||||||
my ($infile, $outfile, $bound) = @_;
|
my ($infile, $outfile, $bound) = @_;
|
||||||
open IN, $infile;
|
my $found = 0;
|
||||||
open OUT, ">$outfile";
|
|
||||||
my $flag = 0;
|
open IN, $infile || die "Cannot open $infile, $!";
|
||||||
|
open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
|
||||||
while (<IN>) {
|
while (<IN>) {
|
||||||
$flag = 1 if (/^-----BEGIN.*$bound/) ;
|
$found = 1 if /^-----BEGIN.*$bound/;
|
||||||
print OUT $_ if ($flag);
|
print OUT $_ if $found;
|
||||||
if (/^-----END.*$bound/) {
|
$found = 2, last if /^-----END.*$bound/;
|
||||||
|
}
|
||||||
close IN;
|
close IN;
|
||||||
close OUT;
|
close OUT;
|
||||||
return;
|
return $found == 2 ? 0 : 1;
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Wrapper around system; useful for debugging. Returns just the exit status
|
||||||
|
sub run
|
||||||
|
{
|
||||||
|
my $cmd = shift;
|
||||||
|
print "====\n$cmd\n" if $verbose;
|
||||||
|
my $status = system($cmd);
|
||||||
|
print "==> $status\n====\n" if $verbose;
|
||||||
|
return $status >> 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
||||||
|
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
|
||||||
|
print STDERR " CA -pkcs12 [certname]\n";
|
||||||
|
print STDERR " CA -crl|-revoke cert-filename [reason]\n";
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
if ($WHAT eq '-newcert' ) {
|
||||||
|
# create a certificate
|
||||||
|
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
|
||||||
|
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-newreq' ) {
|
||||||
|
# create a certificate request
|
||||||
|
$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
|
||||||
|
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-newreq-nodes' ) {
|
||||||
|
# create a certificate request
|
||||||
|
$RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
|
||||||
|
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-newca' ) {
|
||||||
|
# create the directory hierarchy
|
||||||
|
mkdir ${CATOP}, $DIRMODE;
|
||||||
|
mkdir "${CATOP}/certs", $DIRMODE;
|
||||||
|
mkdir "${CATOP}/crl", $DIRMODE ;
|
||||||
|
mkdir "${CATOP}/newcerts", $DIRMODE;
|
||||||
|
mkdir "${CATOP}/private", $DIRMODE;
|
||||||
|
open OUT, ">${CATOP}/index.txt";
|
||||||
|
close OUT;
|
||||||
|
open OUT, ">${CATOP}/crlnumber";
|
||||||
|
print OUT "01\n";
|
||||||
|
close OUT;
|
||||||
|
# ask user for existing CA certificate
|
||||||
|
print "CA certificate filename (or enter to create)\n";
|
||||||
|
$FILE = <STDIN>;
|
||||||
|
chop $FILE;
|
||||||
|
if ($FILE) {
|
||||||
|
copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
|
||||||
|
copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
|
||||||
|
} else {
|
||||||
|
print "Making CA certificate ...\n";
|
||||||
|
$RET = run("$REQ -new -keyout"
|
||||||
|
. " ${CATOP}/private/$CAKEY"
|
||||||
|
. " -out ${CATOP}/$CAREQ");
|
||||||
|
$RET = run("$CA -create_serial"
|
||||||
|
. " -out ${CATOP}/$CACERT $CADAYS -batch"
|
||||||
|
. " -keyfile ${CATOP}/private/$CAKEY -selfsign"
|
||||||
|
. " -extensions v3_ca"
|
||||||
|
. " -infiles ${CATOP}/$CAREQ") if $RET == 0;
|
||||||
|
print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
|
||||||
|
}
|
||||||
|
} elsif ($WHAT eq '-pkcs12' ) {
|
||||||
|
my $cname = $ARGV[1];
|
||||||
|
$cname = "My Certificate" unless defined $cname;
|
||||||
|
$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
|
||||||
|
. " -certfile ${CATOP}/$CACERT"
|
||||||
|
. " -out $NEWP12"
|
||||||
|
. " -export -name \"$cname\"");
|
||||||
|
print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-xsign' ) {
|
||||||
|
$RET = run("$CA -policy policy_anything -infiles $NEWREQ");
|
||||||
|
} elsif ($WHAT eq '-sign' ) {
|
||||||
|
$RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
|
||||||
|
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-signCA' ) {
|
||||||
|
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||||
|
. " -extensions v3_ca -infiles $NEWREQ");
|
||||||
|
print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-signcert' ) {
|
||||||
|
$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
|
||||||
|
. " -out tmp.pem");
|
||||||
|
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||||
|
. " -infiles tmp.pem") if $RET == 0;
|
||||||
|
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-verify' ) {
|
||||||
|
my @files = @ARGV ? @ARGV : ( $NEWCVERT );
|
||||||
|
foreach $file (@files) {
|
||||||
|
my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file");
|
||||||
|
$RET = $status if $status != 0;
|
||||||
|
}
|
||||||
|
} elsif ($WHAT eq '-crl' ) {
|
||||||
|
$RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
|
||||||
|
print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
|
||||||
|
} elsif ($WHAT eq '-revoke' ) {
|
||||||
|
my $cname = $ARGV[1];
|
||||||
|
if (!defined $cname) {
|
||||||
|
print "Certificate filename is required; reason optional.\n";
|
||||||
|
exit 1;
|
||||||
|
}
|
||||||
|
my $reason = $ARGV[2];
|
||||||
|
$reason = " -crl_reason $reason"
|
||||||
|
if defined $reason && crl_reason_ok($reason);
|
||||||
|
$RET = run("$CA -revoke \"$cname\"" . $reason);
|
||||||
|
} else {
|
||||||
|
print STDERR "Unknown arg \"$WHAT\"\n";
|
||||||
|
print STDERR "Use -help for help.\n";
|
||||||
|
exit 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
exit $RET;
|
||||||
|
|
Loading…
Reference in a new issue